Allow PassSync user to locate and update NT users

Add new PassSync Service privilege that have sufficient access to let AD PassSync service search for NT users and update the password. To make sure existing PassSync user keeps working, it is added as a member of the new privilege. New update plugin is added to add link to the new privilege to the potentially existing PassSync user to avoid breaking the PassSync service. https://fedorahosted.org/freeipa/ticket/4837 Reviewed-By: David Kupka <dkupka@redhat.com>
author: Martin Kosek <mkosek@redhat.com> 2015-01-13 18:09:17 +0100
committer: Martin Kosek <mkosek@redhat.com> 2015-01-19 16:49:27 +0100
commit: 6652c4eb2ebece71b6d60001246bd0fee5909099 (patch)
tree: 4bd5a7e2753ddf721b7bb785582c7ca8b946463b /ipaserver
parent: 5672eb14def7b2010f1d08825eec58ff1444073f (diff)
download: freeipa-6652c4eb2ebece71b6d60001246bd0fee5909099.tar.gz
freeipa-6652c4eb2ebece71b6d60001246bd0fee5909099.tar.xz
freeipa-6652c4eb2ebece71b6d60001246bd0fee5909099.zip
2 files changed, 107 insertions, 25 deletions
diff --git a/ipaserver/install/plugins/update_passsync.py b/ipaserver/install/plugins/update_passsync.py
new file mode 100644
index 000000000..d6595a06f
--- /dev/null
+++ b/ipaserver/install/plugins/update_passsync.py
@@ -0,0 +1,78 @@
+#
+# Copyright (C) 2014  FreeIPA Contributors see COPYING for license
+#
+
+from ipaserver.install.plugins import MIDDLE, LAST
+from ipaserver.install.plugins.baseupdate import PreUpdate, PostUpdate
+from ipalib import api, errors
+from ipapython.dn import DN
+from ipapython.ipa_log_manager import root_logger
+from ipaserver.install import sysupgrade
+
+class update_passync_privilege_check(PreUpdate):
+    order = MIDDLE
+
+    def execute(self, **options):
+        update_done = sysupgrade.get_upgrade_state('winsync', 'passsync_privilege_updated')
+        if update_done:
+            root_logger.debug("PassSync privilege update pre-check not needed")
+            return False, False, []
+
+        root_logger.debug("Check if there is existing PassSync privilege")
+
+        passsync_privilege_dn = DN(('cn','PassSync Service'),
+                self.api.env.container_privilege,
+                self.api.env.basedn)
+
+        ldap = self.obj.backend
+        try:
+            ldap.get_entry(passsync_privilege_dn, [''])
+        except errors.NotFound:
+            root_logger.debug("PassSync privilege not found, this is a new update")
+            sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', False)
+        else:
+            root_logger.debug("PassSync privilege found, skip updating PassSync")
+            sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True)
+
+        return False, False, []
+
+api.register(update_passync_privilege_check)
+
+class update_passync_privilege_update(PostUpdate):
+    """
+        Add PassSync user as a member of PassSync privilege, if it exists
+    """
+
+    order = LAST
+
+    def execute(self, **options):
+        update_done = sysupgrade.get_upgrade_state('winsync', 'passsync_privilege_updated')
+        if update_done:
+            root_logger.debug("PassSync privilege update not needed")
+            return False, False, []
+
+        root_logger.debug("Add PassSync user as a member of PassSync privilege")
+        ldap = self.obj.backend
+        passsync_dn = DN(('uid','passsync'), ('cn', 'sysaccounts'), ('cn', 'etc'),
+            api.env.basedn)
+        passsync_privilege_dn = DN(('cn','PassSync Service'),
+                self.api.env.container_privilege,
+                self.api.env.basedn)
+
+        try:
+            entry = ldap.get_entry(passsync_dn, [''])
+        except errors.NotFound:
+            root_logger.debug("PassSync user not found, no update needed")
+            sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True)
+            return False, False, []
+        else:
+            root_logger.debug("PassSync user found, do update")
+
+        update = {'dn': passsync_privilege_dn,
+                  'updates': ["add:member:'%s'" % passsync_dn]}
+        updates = {passsync_privilege_dn: update}
+
+        sysupgrade.set_upgrade_state('winsync', 'passsync_privilege_updated', True)
+        return (False, True, [updates])
+
+api.register(update_passync_privilege_update)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 5778cab03..66764c22f 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -528,39 +528,43 @@ class ReplicationManager(object):
         print "The user for the Windows PassSync service is %s" % pass_dn
         try:
             conn.get_entry(pass_dn)
-            print "Windows PassSync entry exists, not resetting password"
-            return
+            print "Windows PassSync system account exists, not resetting password"
         except errors.NotFound:
-            pass
-
-        # The user doesn't exist, add it
-        entry = conn.make_entry(
-            pass_dn,
-            objectclass=["account", "simplesecurityobject"],
-            uid=["passsync"],
-            userPassword=[password],
-        )
-        conn.add_entry(entry)
+            # The user doesn't exist, add it
+            print "Adding Windows PassSync system account"
+            entry = conn.make_entry(
+                pass_dn,
+                objectclass=["account", "simplesecurityobject"],
+                uid=["passsync"],
+                userPassword=[password],
+            )
+            conn.add_entry(entry)
 
-        # Add it to the list of users allowed to bypass password policy
+        # Add the user to the list of users allowed to bypass password policy
         extop_dn = DN(('cn', 'ipa_pwd_extop'), ('cn', 'plugins'), ('cn', 'config'))
         entry = conn.get_entry(extop_dn)
-        pass_mgrs = entry.get('passSyncManagersDNs')
-        if not pass_mgrs:
-            pass_mgrs = []
-        if not isinstance(pass_mgrs, list):
-            pass_mgrs = [pass_mgrs]
+        pass_mgrs = entry.get('passSyncManagersDNs', [])
         pass_mgrs.append(pass_dn)
         mod = [(ldap.MOD_REPLACE, 'passSyncManagersDNs', pass_mgrs)]
-        conn.modify_s(extop_dn, mod)
-
-        # And finally grant it permission to write passwords
-        mod = [(ldap.MOD_ADD, 'aci',
-            ['(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Windows PassSync service can write passwords"; allow (write) userdn="ldap:///%s";)' % pass_dn])]
         try:
-            conn.modify_s(self.suffix, mod)
+            conn.modify_s(extop_dn, mod)
+        except ldap.TYPE_OR_VALUE_EXISTS:
+            root_logger.debug("Plugin '%s' already '%s' in passSyncManagersDNs",
+                    extop_dn, pass_dn)
+
+        # And finally add it is a member of PassSync privilege to allow
+        # displaying user NT attributes and reset passwords
+        passsync_privilege_dn = DN(('cn','PassSync Service'),
+                api.env.container_privilege,
+                api.env.basedn)
+        members = entry.get('member', [])
+        members.append(pass_dn)
+        mod = [(ldap.MOD_REPLACE, 'member', members)]
+        try:
+            conn.modify_s(passsync_privilege_dn, mod)
         except ldap.TYPE_OR_VALUE_EXISTS:
-            root_logger.debug("passsync aci already exists in suffix %s on %s" % (self.suffix, conn.host))
+            root_logger.debug("PassSync service '%s' already have '%s' as member",
+                    passsync_privilege_dn, pass_dn)
 
     def setup_winsync_agmt(self, entry, win_subtree=None):
         if win_subtree is None:
author	Martin Kosek <mkosek@redhat.com>	2015-01-13 18:09:17 +0100
committer	Martin Kosek <mkosek@redhat.com>	2015-01-19 16:49:27 +0100
commit	6652c4eb2ebece71b6d60001246bd0fee5909099 (patch)
tree	4bd5a7e2753ddf721b7bb785582c7ca8b946463b /ipaserver
parent	5672eb14def7b2010f1d08825eec58ff1444073f (diff)
download	freeipa-6652c4eb2ebece71b6d60001246bd0fee5909099.tar.gz freeipa-6652c4eb2ebece71b6d60001246bd0fee5909099.tar.xz freeipa-6652c4eb2ebece71b6d60001246bd0fee5909099.zip